Hi,

I found out that resolution of DNSSEC-signed wildcard domains does not work 
correctly with dnsmasq. I think the problem is that it looks for a signature of 
the requested domain name and not of the wildcard.

The following fails:

$ dig issues.pangaea.de

; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;issues.pangaea.de.             IN      A

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 04 15:43:42 CET 2016
;; MSG SIZE  rcvd: 46


The reason is: "issues.pangaea.de" is covered by a star domain "*.pangaea.de" 
that is correctly signed (tested from another server - not using dnsmasq):

$ dig +dnssec *.pangaea.de

; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de'
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.pangaea.de.                  IN      A

;; ANSWER SECTION:
*.pangaea.de.           28790   IN      A       134.1.2.171
*.pangaea.de.           28790   IN      RRSIG   A 7 2 28800 20160109144508 
20151226151023 12714 pangaea.de. 
jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q 
MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m 
HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=

;; AUTHORITY SECTION:
pangaea.de.             28790   IN      NS      ns2.domaindiscount24.net.
pangaea.de.             28790   IN      NS      ns3.domaindiscount24.net.
pangaea.de.             28790   IN      NS      ns1.domaindiscount24.net.
pangaea.de.             28790   IN      RRSIG   NS 7 2 28800 20160109071640 
20151226151023 12714 pangaea.de. 
l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p 
O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql 
maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=

;; Query time: 0 msec
;; SERVER: 85.25.128.10#53(85.25.128.10)
;; WHEN: Mon Jan  4 14:42:43 2016
;; MSG SIZE  rcvd: 471

How should this be solved? This is another one where dnssec fails, so clearly a 
bug.

There is a test page about exactly that case, which fails for me when resolving 
through dnsmasq: http://0skar.cz/dns/en/

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
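The diagnosis in the post is that the resolver verifies the signature over the queried name rather than over the wildcard that was actually signed. The step a validator has to perform here is defined by RFC 4034 §3.1.3 and RFC 4035 §5.3.1: the RRSIG Labels field (the "2" in "A 7 2 28800 ..." above) gives the label count of the signed owner name, a leading "*" not counted; when the queried name has more labels than that, the answer is a wildcard expansion and the signature must be checked over "*." plus the rightmost Labels labels of the queried name. The following is an added example written for this post, not dnsmasq code and not from the list; the RRSIG header fields are taken from the dig output above (signature data omitted), and the function names are my own.

```python
"""Reconstruct the owner name an RRSIG was made over (RFC 4034 s3.1.3,
RFC 4035 s5.3.1). Added example, not dnsmasq code; the RRSIG header is
constructed from the record shown in the post."""
import calendar
import time
from dataclasses import dataclass

# Constructed from the RRSIG in the post. The base64 signature is left out:
# it plays no part in working out which owner name was signed.
RRSIG_TEXT = "A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de."


@dataclass(frozen=True)
class Rrsig:
    type_covered: str
    algorithm: int
    labels: int          # labels in the signed owner name, "*" excluded
    original_ttl: int
    expiration: int      # seconds since the epoch, UTC
    inception: int
    key_tag: int
    signer: str


def parse_rrsig_time(text):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 s3.2)."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S"))


def parse_rrsig(text):
    """Parse the presentation-format RRSIG header fields (signature omitted)."""
    f = text.split()
    return Rrsig(f[0], int(f[1]), int(f[2]), int(f[3]),
                 parse_rrsig_time(f[4]), parse_rrsig_time(f[5]),
                 int(f[6]), f[7].lower())


def label_list(name):
    """Labels of a domain name, lowercased, root excluded."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def label_count(name):
    """Label count as the RRSIG Labels field defines it: a leading "*" does not count."""
    labels = label_list(name)
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def signed_owner_name(qname, rrsig):
    """Return (name to verify the signature over, expanded_from_wildcard).

    A validator must verify the signature over the name the zone signer
    actually signed. For a wildcard-synthesised answer that is "*." plus
    the rightmost Labels labels of the queried name, never the queried
    name itself; verifying over the queried name fails, as in the post.
    """
    n = label_count(qname)
    if rrsig.labels > n:
        # RFC 4035 s5.3.1: owner name must have at least Labels labels.
        raise ValueError("RRSIG Labels exceeds owner name label count: bogus")
    labels = label_list(qname)
    if rrsig.labels == n:
        return ".".join(labels) + ".", False
    return "*." + ".".join(labels[len(labels) - rrsig.labels:]) + ".", True


def in_validity_window(rrsig, now):
    """Signature is only usable between inception and expiration (RFC 4035 s5.3.1)."""
    return rrsig.inception <= now <= rrsig.expiration


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_TEXT)
    for q in ("issues.pangaea.de.", "*.pangaea.de."):
        name, expanded = signed_owner_name(q, sig)
        print(f"{q:20s} verify over {name} (wildcard expansion: {expanded})")
```

For "issues.pangaea.de." this yields "*.pangaea.de." as the name to hash into the signature input, which is exactly the RRSET the second dig shows validating fine. A direct query for "*.pangaea.de." has two counted labels, so it is not an expansion. Note that RFC 4035 §3.1.3.3 also requires a wildcard answer to carry NSEC or NSEC3 records proving no closer name exists, and a validator checks those as well; this block covers only the owner-name step that the post's symptom points at.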
